Internet browser security took a beating during Day 1 of an annual hacking competition, with Apple's Safari, Microsoft's Internet Explorer and Mozilla's Firefox all being felled in a matter of hours.
The uncontested champion of the contest was a University of Oldenburg, master's candidate, who managed to fell Safari, IE 8 and …

I wonder

Opera and Chrome

Shame they didn't include Opera.

I can't help but wonder if it's because it's not open source? How many of these clever hackers spend months looking through the source code of webkit and mozilla looking for flaws, before turning up and seemingly finding a hole within hours? IE is closed sources, but it's from the evil beast and the percesption is that it's the worst browser for security right now, so they can hardly leave that out of the test.

It's not as if Opera doesn't have a few security holes occasionally, but it's surely easier to find them when it's open source.

And there's no mention of Chrome either, with it's fancy architecture that's supposed to stop problems in one tab affecting the rest of the browser.

What no linux?

Checking the tipping point website shows that no computers using linux are involved.... must be because ubuntu made them cry last time. Before the usual wha, wha, linux is not that popular to be exploited. The via laptop is running Windows 7?!!!!! How many have that. At least microcrud is consistent. You exploites will still be compatible with their new OS.

Wonder if a deal was done to keep linux out of the picture so that there would be no headlines of linux not being exploitable.

pointless

I run both Windows and OSX on my PC's so I have no axe to grind, but seriously this is a pointless contest as the "contestants" are using bugs they discovered months or years ago and didn't tell anyone, just so they could show how clever they are, Clever would be telling the OS providers so they could fix the problem before innocent people get hacked, cos these numpties didn't tell anyone about the bug in question.

Any software is hackable, end of story, and particularly if you can get the operator to install the hack!

Opera Too

Contests a sham

Back when it was attack the os it was as exciting as wathcing the grass grow with 500,000 attempts and no progress at hacking. They had to make it easy and picked the large surface attack vector of browsers. All browsers will fall as they have the most hostile environment and job parsing good and bad html and ecmascript and all sorts of nasties.

The contest is now lame and reeks of easy low hanging fruit discoveries that are kept private soley for the chance to score a free computer and money in as little time as possible.

But...

It couldn't be that they are just as vulnerable but that hackers and virus writers don't bother targetting them due to the fact that there as so few of them in comparrison to PCs. That would just be silly. You'll be saying that I-Pods actually give rubbish sound quality next. Lies. All lies!

I can only presume

that whilst trying to develop exploits for these browsers, they donned the mantle of most stupid user ever in addition to that of uber hacker. In other words they used the browsers in the most irresponsible way, clicking on any link rendered by the browser, and obviously links to their own exploit code. Did they also use these browsers without any limits on what 3rd party web extension code (ActiveX, Java, Flash etc.,etc) could do.

I am not trying to defend insecure coding by any of the developers of these browsers, what I am saying is that security begins and ends with the user. They certainly would have had a harder time exploiting the browser of web wise users who don't automatically trust every link rendered, who do take measures to limit the the ability of third party code to execute and have a healthy paranoia of the web in general.

"Still, browsers have a lot of problems. It's really a lot of codes that are exposed to the internet."

Not to mention the underlying OS if one uses a browser that is so tightly integrated with the OS that it is hard to determine where browser ends and OS begins.

The use of a computer has been dumbed down to the point that having an IQ which barely reaches double figures is sufficient to use one. Now whilst this maybe seen as a good thing, it is also very dangerous. There are child proof lids on medicine bottles for a reason.

The average computer/web user is far easier to exploit than the underlying technology he/she uses to access the web (with the exception of a certain operating system). I would be impressed if an exploit was developed for any of those browsers exploited that did not require user interaction.

Anyone manage...

Sitting on a bug for 12 months!

for shaaaame!

people saying words to the effect of 'shame on nils for sitting on a bug for 12 months' should realize that 'nils' is not a professional security researcher and might have better things to do than give free bug reports to Apple/Moz/MS. If he finds a bug, he is under no obligation to report it -- if he wants to make it his personal plaything, that's up to him.

I usually either work around bugs or use a different program -- I have a job to do and I don't always have the time to file reports. Usually, once I've figured out the workaround, the bug gets forgotten and I go back to my job. However if some contest came up and said "hey, you can make some dough if you further explore and exploit that bug you found a year back," depending on how hard up for cash I was, it might grab my attention.

A contest like this is to give folks like 'nils' incentive to develop a workable exploit (not the same as discovering the bug) and come forward. It also gives these bugs a higher profile than they might otherwise have had (especially when reporting to the 'Queen of Denial' ... not sure if that refers to Apple or MS this week, but either way if my bug report vanishes in to the 'ether' and can't be properly tracked, I'm much less inclined to give them the benefit of my free quality control.)

better to sit on it than sell

to be honest, it was better of him to sit on it for a year than sell it to the underworld for $100k - yes, the exploit may have been found by someone else during the year and he should have told Apple but i return to my first point.

my wifes PC has had 2 attempted web hacks in the past week - the 'general internet' is getting filled with dodgy exploit and javascript laden sites, false redirects etc. I'd estimate that 70% of sites out there are infected and dodgy now. This competition highlights my usual 'use firefox rather than IE' is becoming a weaker protection layer too. IE with all security settings 100% on and firefox with noscript etc etc are handy stepping stones but its a sad day when the best browsing platform

to use is a VM session that can be 0wned and then reloaded started from scratch when that happens :-(

In defense of Charlie Miller

To those criticizing Charlie Miller for sitting on a Safari bug for more than 12 months, please consider the following:

A bug isn't the same thing as an exploit. While Miller discovered the bug more than a year ago, it was only recently that he figured out a way to exploit it so he could remotely execute code. Charlie told me he spent considerable time an effort making this happen. Meanwhile, he has paying clients and hard deadlines to meet. Under the circumstances, I don't think there's anything wrong with him dusting off an old bug when entering this contest.

Not quite cycical enough.

Given a bit of time the secret will get out and they're using your exploit without paying you.

Develop a new exploit, but the blackhats all have a perfectly good working one and so don't want to pay.

Your nasty old exploit that has long since ceased paying out.

Give your exploit to some grad student as a way to look good and get some cash to fund the studies (likely enough into the next exploit, which he may feel indebted enough to share with you) and let him win the competition. Doesn't really matter if he does or not.

Nasty old exploit becomes public domain and gets closed.

Black hats have to pay top dollar again for the new one.

Repeat next year at a different hacking contest so as not to raise suspicion.

Opera schloppera

I found a bug in Opera, reported it twice and had no acknowledgement either time. The bug was still there last time I checked. Not a security issue, but why bother having a bug list in the first place?

Reporting bugs

Perhaps, I am a bit pessimistic, but I have a feeling that reporting bugs leads to no response at all, or a text saying the bug is well known and very very non critical or the police will search your house and confiscate your computers .

I also know of a 'bug'

in all major browsers (and including Opera) that allows me to spot user-agent spoofing regardless of the method. I can spot FF with its User-Agent Switcher spoofing IE, Opera or any other browser's header that can be put into it; I can also spot Opera's Mask As... and Identify As... feature. I've known about this flaw for nearly two years now, and it seems to have survived in all new versions of each browser.

Needless to say, I'm sitting on it and have no intention of revealing it to anyone, for several reasons, notably that banks and other sites like Microsoft that try to force you to use IE would inevitably use it to counter browser spoofing (and I like being able to use my bank's website without being forced into using Suxplorer). I also use it on our own company's websites to prevent them breaking when IE is spoofed by a non-MS browser (IE requires a different CSS than other browsers and spoofing it normally causes the IE CSS to load, breaking the site in the non-IE browser.) It also allows me to adjust site layouts to a particular browser (e.g. Opera uses a different line-height and letter-spacing than other browsers given the same values for these attributes in a CSS file) so that the site renders exactly the same in all browsers. I use this ability as part of my 'sell' to clients when I demonstrate how other sites break under these conditions, while our sites don't. Revealing it would be to give away that part of our 'edge'.

It's not a security problem as far as I can see, although an attacker might be able to use it to reliably determine which browser the user has and tailor their attacks accordingly; it's just the way each browser inadvertently reveals itself that lets me spot what it really is. But it does show some of the reasoning why people like Nils who discover such bugs and flaws might want to sit on them - knowing about a particular flaw can give you an edge in the fiercely competitive Web development market, quite aside from any financial rewards you may obtain by waiting for a better offer than just handing it over for nothing!

@Dan Goodin

Dan, please. As a security professional Charlie should hide bugs he knows about because he has clients and deadlines to meet? What, like everyone else, you mean?

This is why the black hats manage to get away with remote exploits for so long, because people with Charlie's mentality give them carte blanche to do so. The black hats aren't going to publish the keys to the kingdom. It helps if the supposed white hats do, for the security of all. If they don't give a shit unless they're getting a laptop out of it then we've got a problem ...

Perhaps you don't realise how many security products are based on open source tools and o/s? If everyone involved in open source had that attitude no security products would exist at all.